How to Configure Let’s Encrypt SSL in OpenLiteSpeed Web Server

Did you know? Google will begin marking all HTTP pages as ‘Not Secure’ in Chrome, starting from v62. Google has already planned this for the coming October and has started sending emails to webmasters who have yet to migrate their sites to HTTPS, including us.

Google Warning

Now it is time for us to move away from HTTP, for better protection and for the secure transmission of users’ data.

In earlier days, SSL certificates cost us more, but now they are free with Let’s Encrypt. You don’t have to spend a penny to get an SSL certificate and make the site secure.

FYI, Let’s Encrypt is a certificate authority that provides free X.509 SSL certificates for web servers and control panels.

So, if you are planning to move your website to HTTPS, just follow this article.

Install Certbot

To generate a certificate on any system, we need terminal/shell access and the Certbot ACME client.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email protected]
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: A
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for web.itzgeek.com
Using the webroot path /usr/local/lsws/web.itzgeek.com/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/web.itzgeek.com/fullchain.pem. Your cert will
expire on 2017-11-24. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Here is the list of .pem files you will see under the /etc/letsencrypt/live/<yourdomain>/ directory.

Renew Let’s Encrypt Certificate

Let’s Encrypt certificates are valid for 90 days, so it is highly advisable to configure a cron job (the Linux scheduler) to renew them before they expire.
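
A scheduled renewal can fail without anyone noticing, so it helps to check the certificate's remaining lifetime independently of Certbot. The script below is an added example, not part of the original article or of Certbot: it reads the expiry date from a PEM file such as the fullchain.pem saved above and flags a certificate that is expired or close to expiry. It assumes GNU date and openssl are installed; the function names and the 21-day threshold are illustrative choices.

```bash
#!/usr/bin/env bash
# Added example: expiry monitor for a Certbot-managed certificate.
# Assumes GNU date and openssl. WARN_DAYS=21 is an illustrative threshold:
# Certbot by default renews once fewer than 30 days remain, so a certificate
# that drops below 21 days suggests the scheduled renewal is failing.
WARN_DAYS=21

# cert_status NOT_AFTER NOW_EPOCH [WARN_DAYS]
# NOT_AFTER is the date printed by `openssl x509 -enddate`,
# for example "Nov 24 10:00:00 2017 GMT".
# Prints one of: ok | renewal-overdue | expired | unparseable
cert_status() {
    local not_after="$1" now_epoch="$2" warn_days="${3:-$WARN_DAYS}" end_epoch
    end_epoch=$(date -u -d "$not_after" +%s 2>/dev/null) || end_epoch=""
    if [ -z "$end_epoch" ]; then
        echo "unparseable"
    elif [ "$end_epoch" -le "$now_epoch" ]; then
        echo "expired"
    elif [ $(( end_epoch - now_epoch )) -lt $(( warn_days * 86400 )) ]; then
        echo "renewal-overdue"
    else
        echo "ok"
    fi
}

# check_cert PEM_PATH
# Reports the status of the first certificate in the file (the leaf
# certificate in a fullchain.pem) and returns non-zero unless it is "ok".
check_cert() {
    local pem="$1" not_after status
    not_after=$(openssl x509 -enddate -noout -in "$pem") || return 2
    not_after=${not_after#notAfter=}
    status=$(cert_status "$not_after" "$(date +%s)")
    echo "$pem: $status (notAfter=$not_after)"
    [ "$status" = "ok" ]
}

# Run only when a path is given, for example:
#   ./cert-check.sh /etc/letsencrypt/live/<yourdomain>/fullchain.pem
if [ "$#" -gt 0 ]; then
    check_cert "$1"
fi
```

The non-zero exit status makes the script usable from a monitoring job that alerts on failure.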

Before you configure a cron job, run the command below to simulate the automatic renewal of your certificate.

certbot renew --dry-run

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/web.itzgeek.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for web.itzgeek.com
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/web.itzgeek.com/fullchain.pem
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/web.itzgeek.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

You can now set up a cron job to run the command below twice per day.